24
For the same Django application you should use the same secret key to ensure that the same client can properly use the service if the load balancer redirects his/her traffic mid-session. Otherwise, surely undefined behavior will arise. More specifically, all these things would break:
- sessions: the data decode will break; this is valid for any session backend (cookies, database, file-based or cache).
- password reset tokens already sent won't work; users will have to ask for a new one.
- the comments form (if using django.contrib.comments) will not validate if it was requested before the value change and submitted after the value change. I think this is very minor but might be confusing for the user.
- messages (from django.contrib.messages) won't validate server-side under the same timing conditions as for the comments form.
(source). As a side note, I completely agree that the secret_key aspect of Django feels dangerous and mystic, despite it being very explainable, and is not treated by the documentation with any sort of clarity.
Source: stackexchange.com
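As an added illustration of the session point in the answer above (this is example code, not from the answer or from Django itself): a simplified HMAC signer in the `value:timestamp:signature` shape of Django's signed values, plus a hypothetical `AppInstance` helper that simulates a session cookie issued by one load-balanced instance and read by another. Only the dependence on the key is modelled; the real `django.core.signing` differs in details.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Simplified stand-in for Django's signing scheme (assumption: only the
# key-dependence is modelled, not the exact salt/key-derivation Django uses).
SEP = ":"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _mac(payload: str, secret_key: str) -> str:
    return _b64(hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).digest())

def sign(value: str, secret_key: str, timestamp: Optional[int] = None) -> str:
    """Return 'value:timestamp:signature' signed with HMAC-SHA256 under secret_key."""
    ts = int(time.time()) if timestamp is None else timestamp
    payload = f"{value}{SEP}{ts}"
    return f"{payload}{SEP}{_mac(payload, secret_key)}"

def unsign(signed: str, secret_key: str, max_age: Optional[int] = None,
           now: Optional[int] = None) -> str:
    """Verify under secret_key; raise ValueError if the MAC mismatches or the value is stale."""
    value, ts, sig = signed.rsplit(SEP, 2)  # the value itself may contain ':'
    if not hmac.compare_digest(_mac(f"{value}{SEP}{ts}", secret_key), sig):
        raise ValueError("signature was not produced with this SECRET_KEY")
    if max_age is not None:
        age = (int(time.time()) if now is None else now) - int(ts)
        if age > max_age:
            raise ValueError("signed value expired")
    return value

class AppInstance:
    """One Django process behind a load balancer (hypothetical helper for the simulation)."""
    def __init__(self, secret_key: str):
        self.secret_key = secret_key

    def issue_session_cookie(self, user_id: str) -> str:
        return sign(f"user={user_id}", self.secret_key, timestamp=1_700_000_000)

    def read_session_cookie(self, cookie: str) -> Optional[str]:
        try:
            return unsign(cookie, self.secret_key, max_age=1209600, now=1_700_000_100)
        except ValueError:
            return None  # Django would fall back to an empty (anonymous) session here

def session_survives_failover(key_a: str, key_b: str) -> bool:
    """Cookie issued by instance A; the next request is routed to instance B."""
    cookie = AppInstance(key_a).issue_session_cookie("alice")
    return AppInstance(key_b).read_session_cookie(cookie) == "user=alice"
```

With a shared key the second instance accepts the cookie; with per-server keys the user silently lands in an anonymous session on the next request.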